<div dir="ltr">+1 to include HTTPS support. I think the main point is that there needs to be a distinction between *public* and *confidential* clients, but that using the redirect URI to determine this is a bad idea.<div><br></div><div>Regarding localhost vs loopback IP literal:</div><div><br></div><div>The Native Apps draft recommends using loopback IP literals over localhost, as they are slightly superior. By default, 127.0.0.1 will strictly receive local traffic only – a desirable security property. It's also immune to hostname resolution issues (it's possible to break localhost resolution).</div><div><br></div><div>In my testing with .NET on Windows 10, opening a HTTP listener on "<a href="http://localhost">http://localhost</a>" opened a socket on all network interfaces and triggered a firewall dialog – while listening on "<a href="http://127.0.0.1">http://127.0.0.1</a>" did neither. I'm sure it's possible to configure which network interfaces to use with "localhost", but what I like about 127.0.0.1 is that you don't have to worry about that.</div><div><br></div><div>Since both are simple static constants – and one is better – I recommend the IP literal.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 21, 2017 at 9:59 AM, Roland Hedberg via Openid-specs-ab <span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
There is a thing we probably have to issue an errata for in the OIDC cleint registration document.<br>
<br>
This is the case:<br>
<br>
— In <a href="http://openid.net/specs/openid-connect-registration-1_0.html" rel="noreferrer" target="_blank">http://openid.net/specs/<wbr>openid-connect-registration-1_<wbr>0.html</a> it says in the text about<br>
application_type:<br>
<br>
”Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. "<br>
<br>
Now this conflicts with what is said in <a href="https://tools.ietf.org/id/draft-ietf-oauth-native-apps-09.html" rel="noreferrer" target="_blank">https://tools.ietf.org/id/<wbr>draft-ietf-oauth-native-apps-<wbr>09.html</a><br>
where in section 7 it lists these redirect URI options:<br>
7.1 Custom URI<br>
7.2 HTTPS<br>
7.3 loopback aka <a href="HTTP://127.0.0.1" rel="noreferrer" target="_blank">HTTP://127.0.0.1</a><br>
<br>
Furthermore in 8.6 it says about the use of loopback URI:<br>
"While redirect URIs using localhost (i.e. http://localhost:{port}/) function similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED. "<br>
<br>
-- Roland<br>
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain<br>
<br>
<br>
<br>
______________________________<wbr>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.<wbr>net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a><br>
</blockquote></div><br></div>